Updated the Security Rule and the Breach Notifications portion of the HITECH Act in January 2013. Expanded requirements to include business associates in addition to covered entities. Updated definition of ‘significant harm’ during breach analysis: organizations must now prove that harm has not occurred, rather than that harm has occurred. PHI protection modified to fifty (50) years after patient death, rather than indefinite; penalties for PHI privacy violations made more severe.